CA PRIVACY RIGHTS ACT GOES INTO EFFECT ON JANUARY 1, 2023: What it means for California businesses.
In January 2020, the California Consumer Privacy Act of 2018 (“CCPA”) became effective and ushered in a new era of privacy rights in CA. In November 2020, voters approved the California Privacy Rights Act (“CPRA”) to build on and modify the CCPA. The CPRA will go into effect on January 1, 2023, and promises to supply California consumers even more rights to control the personal information that businesses hold about them.
The CPRA created the California Privacy Protection Agency and empowered to the agency to enforce the CCPA. Additionally, the CPRA expands the protections of the CCPA by supplying several new rights for California consumers:
- Consumers have the right to:
- Ask businesses to correct inaccurate information;
- Direct businesses to only use sensitive information for limited purposes; and
- Businesses must notify consumers about how they can exercise these rights in their privacy policy.
These rights are in addition to the rights originally provided by the CCPA:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Most violations of the CCPA can only be enforced by the Attorney General. The one exception is where there has been a data breach. In that case, the CCPA empowers consumers with a private right of action if their non-encrypted and nonredacted personal information has been stolen as a result of the business’s failure to “maintain reasonable security procedures”. Unfortunately, the CCPA does not define what exactly is required so we will need to see how the law is enforced by the Attorney General and how the California Privacy Protection Agency fills in the gaps with its administrative regulations (See https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf).
Indeed, in August 2022 Attorney General, Rob Bonta, announced that a settlement had been reached with cosmetics retailer Sephora in which Sephora agreed to pay a $1.2 million penalty for violation of the CCPA. This was CA’s first enforcement action, and it provides some insight into how the CCPA will be enforced by the Attorney General.
What businesses does the CCPA apply to?
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
For now, the CCPA targets primarily larger businesses that do substantial sales of customer personal information. However, it is likely that the CCPA and CPRA are just the beginning of California’s privacy rights enforcement. Even if your business is not currently impacted by the CCPA and CPRA, it is worthwhile to follow how these privacy laws are enforced and how businesses are dealing with the impacts.
-
Extensive Business KnowledgeRegardless of the complexity of your case, you can trust that your legal matters will be in competent hands when you turn to Poole Shaffery.
-
Proven Track RecordOur team of accomplished business attorneys has consistently delivered positive outcomes for our clients, resolving complex business matters with skill and expertise.
-
Experience and ReputationPoole Shaffery boasts a team of Santa Clarita business attorneys with strong reputations among judges and fellow lawyers, including AV Preeminent® rated professionals and Super Lawyers® honorees.